I am developing an application that uses Speckle as a data transfer framework (only). Meaning, users from my application do not know about Speckle (connectors, frontend…) at all. I have a server application that talks to Speckle and I am using the ADMIN_OVERRIDE_ENABLED=true plus an ADMIN account to manage things server side. Now…
Objective: I want to use the Speckle.Core library to send data from my application without the need for my users to authenticate with Speckle. Right now I could have my backend use my Speckle admin account to create a token with streams:write scope and a very short lifespan.
Issue: The issue is that even with a short lifespan, and only one scope, my token is still an admin token, right? That’s not a major security issue at the moment since our application is only internal, but it’s something we would like to address.
Example: I don’t have one, but I have a simplified diagram of what we’re working with.
That’s also a possible solution. Although I tried that road and it became not so easy to manage our own user accounts together with Speckle user accounts. The main issue was: users from my application might use our organization’s Speckle server for other reasons (e.g. normal Speckle usage through the connectors). If my application is managing Speckle user accounts there might be a conflict of interest.
The way my application is looking to use Speckle is similar to what I see as “service accounts”, where my server acts with its own identity (my admin account). Which I see on the documentation is not currently supported.